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then two interferometers and detectors 



(57) A method and apparatus for secure distribution of 
cryptographic key information is described based on 
quantum cryptography. The apparatus incorporates a 
transmitter 1 comprising a source of pairs of dim, 
depolarised light pulses together with a phase modulator 
5 and random number generator 6 that are used to encode 
the pulse pairs with the binary key information by 
changing the relative phases of the pulses of some pairs. 
The apparatus incorporates a receiver 13 comprising a 
polarisation beam splitter 14, and a pair of interferometers 
16,17 and optical detectors 19,20. Detector 19 determines 
when the phase difference between the pulses of a 
received pulse pair is indicative at a r O' output from the 
random number generator, and detector 20 determines 
when the phase difference is indicative of a 'V output. The 
invention overcomes problems associated with 
polarisation evolution in a non-polarisation-preserving 
optical channel 12 (e.g. standard optical fibre). In addition 
the invention removes the need for an active random 
number generator and phase modulator at the receiver, 
because the polarisation beam splitter acts as if it were a 
random router. 
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Method and Apparatus for use in Encrypted Communication 

BACKGROUND TO THE INVENTION 

1. Field of the Invention 

The present invention relates to a method for use in 
5 encrypted communication and to apparatus for use in the 
method; it is primarily concerned with a technique for 
establishing cryptographic key information. In particular it 
relates to a technique known as quantum cryptography. In 
quantum cryptography fundamental physical laws are exploited 
10 to guarantee the secrecy of cryptographic keys transmitted 
over communication channels that may be subject to 
eavesdropping . 

2. Description of the prior Art 

Secure digital communication between two parties can in 
15 principle be achieved using the techniques of classical 
'secret key' cryptography in which a publicly available 
algorithm that is activated by a secret and preferably random 
bit sequence (key) is used for encryption and decryption of 
transmitted information. In such a scheme the security of the 
20 system hinges entirely upon the secrecy of the key, and the 
users of the system must therefore ensure that any process 
used to establish, transmit, share or distribute the key is 
not susceptible to eavesdropping. This problem of 
establishing a key securely has conventionally been 
25 addressed, for example, by the use of trusted couriers or by 
the use of 'public key' encryption techniques that allow the 
key to be transmitted in encrypted form over an insecure 
communication channel. However, the security of these 
methods cannot be guaranteed in principle: the former relies 
30 on the trustworthiness of the courier and the latter upon 
unprovon assumptions concerning the difficulty of factoring 
largo numbers. By contrast, quantum cryptography provides a 
mothod of establishing a key whereby the secrecy of the key 
«:.,n in principle be guaranteed since security is based upon 
35 f urn lament, a 1 physical laws. 



In quantum cryptography the key information is encoded 
in a characteristic (in practice polarisation or phase) that 
can be carried by single optical photons that are transmitted 
over an optical path linking the two users of the system. In 

5 practical terms, encoding of single photons is not needed, 
and the signal transmitted is normally a notional encoded 
pulse sequence of so low an intensity that the probability of 
an individual pulse being observed to contain more than one 
photon is small. Typically the intensity will be such that 

10 only about one pulse in ten contains even one photon and the 
proportion containing two or more photons is less than one in 
a hundred. Pulses meeting this requirement will be referred 
to as "dim" pulses. The quantum properties of such signals 
ensure that any attempt at eavesdropping during transit will 

15 yield only partial information on the key and will also 

generate errors that are detectable by the legitimate users 
of the apparatus, since any photon detected by an 
eavesdropper is likely either to fail to reach its intended 
destination or to have been changed by the detection process. 

20 The quantum cryptography protocol exploits these fundamental 
properties to allow the legitimate users of such a 
communication channel to establish a shared, authenticated 
and certifiably secret key. The users can then employ the 
secret key together with an encryption algorithm such as the 

25 one-time-pad, for example, to encrypt and decrypt sensitive 
information that they wish to exchange in either direction. 

The original quantum cryptography protocol formulated by 
C. H. Bennett and G. Brassard is described in their 
publication entitled 'Quantum Public Key Distribution 

30 System', IBM Technical Disclosure Bulletin, 28, 3153 (1985). 
This paper describes a system in which dim pulses of 
polar i sat ion-encoded light are used to distribute the key 
information over an optical channel called the 'quantum 
channel' . Tn such a scheme the transmitter A and t he receiver 

15 H must, .share and maintain a common polarisation roieronce 

Irani., such that ,i vertically polarised pulse transmit ted by A 



is received as a vertically polarised pulse by B, for 
example. This leads to the requirement for a polarisation 
maintaining quantum channel since any polarisation changes 
induced by the channel will increase the error rate in the 
5 system and so may make the system insecure or wholly 
ineffective. Standard optical communications fibre is 
potentially an excellent low loss medium that could be used 
to provide a quantum channel. However, the optical 
polarisation is not maintained in this type of fibre and 
10 instead tends to evolve and fluctuate with time. This is 

caused by environmental variations that lead to unpredictable 
fluctuations in the fibre birefringence. In principle an 
active polarisation controller can be used to track and 
compensate these polarisation changes, but this adds 
15 significantly to the cost and complexity of the quantum 

cryptography apparatus. In a subsequent publication "Quantum 
Cryptography Using Any Two Non-Orthogonal States", Physical 
Review Letters, 68, 3121 (1992), C. H. Bennett described an 
interferometric version of quantum cryptography in which dim 
20 pulses of light are phase encoded within a Mach-Zehnder 
interferometer that forms the basic quantum channel. In 
principle such an interferometric scheme can be immune to 
polarisation variation in the transmission fibre. This is 
because interference 'visibility' does not depend on the 
25 specific polarisation states of the interfering optical field 
components, only upon relative differences in these 
polarisation states. In practice, however, real 
implementations of this scheme are not immune to polarisation 
variations in the transmission fibre, because the optical 
30 components such as fibre couplers and phase modulators that 
.ire used to fabricate the transmitter and receiver parts of 
such a sy.st.em typically exhibit birefringence and other 
F .oldi is.ition dependencies. In general the degrees of 
bire1tingor.ee in the spatially separated paths within the 
15 inter terorneter will not be i.l'tit. ical and this leads to 
v.. ri.it ions in the rela t i vr |.i .• 1 .i r i sat ion states of the 



interfering optical fields when the polarisation in the 
transmission fibre evolves. C. Marand and P. D Townsend 
demonstrated a practical version of this interf erometric 
approach using four non-orthogonal phase states in the paper 

5 "Quantum Key Distribution Over Distances as Long as 30km", 
Optics Letters, 20, 1695 (1995). Their experimental quantum 
cryptography system required active polarisation control to 
avoid the deficiencies described above. Subsequently 
H. Zbinden, et al proposed an alternative solution to this 

K) problem in the publication " Interf erometry with Faraday 
Mirrors for Quantum Cryptography", Electronics Letters, 33, 
586 (1997). In this approach the dim, phase encoded optical 
pulses are also polarised and also undergo a time dependent 
polarisation evolution in the fibre. However, by transmitting 

15 the optical pulses in both directions over the fibre and 

using a Faraday mirror to perform the reflection function the 
polarisation evolution can be automatically compensated via 
the non-reciprocal properties of the Faraday Effect. This 
advantage is only obtained, however, at the penalty of the 

20 additional cost and complexity associated with the use of the 
Faraday mirror based design. Recently G. Bonfrate et al 
demonstrated a compact, potentially low cost interferometer 
for quantum cryptography based on waveguide integrated optics 
in a publication entitled "Asymmetric Mach-Zehnder Germano- 

25 Silicate Waveguide Interferometer for Quantum Cryptography 
Systems", Electronics Letters, 37, 846 (2001). The Faraday 
mirror based design is not amenable to monolithic integration 
using such waveguides since germano-silicate does not exhibit 
the Faraday effect. 

3D One of the present inventors has proposed in W097/M4936,^ 

a technique lot establishing a key in a method of using a 
non-poJarisati on-preserving optical link in which a first 
party i.o the communication (referred to as the transmitter, 
os it is the pdrly that, transmits by the quantum channel, 

35 though it may be either the transmitter or the receiver, ut 



both by turns, of the eventual encrypted signal) sends to a 
second party (the receiver) a signal comprising pairs of 
effectively unpolarised dim pulses obtained by delaying a 
traction of the signal by a constant predetermined time 

5 interval; at the receiver, a component of the signal that is 
polarised in a predetermined direction is selected by a 
polariser, and the relative phases of pulse pairs in that 
component are determined by delaying a substantially equal 
fraction of the signal by substantially the same 

10 predetermined interval, so that the pulses that were delayed 
in the transmitter but not in the receiver are brought into 
coincidence with those which were delayed in the receiver but 
not in the transmitter, whereby interference occurs, and 
phase differences between pairs of pulses are distinguished 

15 by observations responsive to the nature of such 

interference. It will be noted that the apparatus described 
requires a receiver that is active in the sense that it 
contains an active phase modulator driven by a random number 
generator, a polariser (which necessarily has an insertion 

20 loss of at least -3dB) and several polarisation controllers 
at different points. 
SUMMARY OF THE INVENTION 

The present invention provides an alternative to this 
technique in which the need for an active receiver, a 

25 polariser and polarisation controllers is avoided, with a 
beneficial effect on complexity and cost. 

According to one aspect of the present invention, a 
method of establishing a key between a transmitter and 
receiver by quantum cryptography using a non-polarisation- 

30 preserving optical link in which the transmitter sends to the 
receiver a signal comprising pairs of effectively unpolarised 
dim pulses obtained by delaying a fraction of the signal by a 
coriytant predetermined time interval; and in which at the 
i<:c:iver a component of the signal th.it is polarised in a 

;>s 1. 1 «•<.!<• termined direction is selected, .md the phase 



differences between pairs of pulses in that component are 
determined by delaying a substantially equal fraction of the 
signal by substantially the same predetermined interval, so 
that the pulses that were delayed in the transmitter but not 

5 in the receiver are brought into coincidence with those which 
were delayed in the receiver but not in the transmitter, 
whereby interference occurs, and phase differences between 
pairs of pulses are distinguished by observations responsive 
to the nature of such interference and is characterised by 

10 selecting at the receiver two orthogonally polarised 

components and separately detecting the relative phase of 
pulses in each of those components. 

A significant advantage of the invention is that the 
interferometers in the receiver are passive in the sense they 

15 do not need to contain active phase modulators driven by 

random number generators; quantum cryptography receivers are 
typically required to randomly and dynamically switch between 
two measurement phase shifts, for example 0° and 180°, that 
are characteristic of two non-orthogonal phase coding 

20 representations used in the system. In contrast, in operation 
of the present invention, one interferometer can be set to 
continuously detect one coding representation (e.g. phase 
shift of 0°) and the other interferometer to continuously 
detect the other coding representation (e.g. phase shift 

25 of 180°) . In this way an active receiver design is replaced by 
a totally passive receiver design thereby reducing complexity 
and cost. 

Hitherto such passive detection schemes used in quantum 
cryptography were based upon the 'random routing' of quantum 
™ .signals incident on a SO: 50 beam-splitter. The present 

inventors have realised however that dim depolarised optical 
pulses incident on a polarisation splitter wilJ also exhibit 
,\ similar x random routing' effect. 

Pulses are to be considered etfectively unpolarised if 
?s t hoy have substantially equal components of mutually 



perpendicular, mutually incoherent linear polarisation, so 
that the two orthogonally polarised components will be 
substantially equally populated; they could be obtained from 
an inherently unpolarised source, but preferably they are 

5 derived from a linearly polarised source, for example a 
pulsed laser, by a "depolariser" that splits light into two 
substantially equal components, rotates the plane of 
polarisation of one of the components by 90° and then 
recombines them: a preferred form of depolariser will be 

10 described. 

Our preference is that the fraction of the signal that 
is delayed as described is one half; but others may prefer a 
much smaller fraction, for example one tenth, as further 
discussed below. 

15 The invention includes apparatus for use in quantum 

cryptography comprising at least a receiver that comprises an 
interferometer-detector for determining phase differences 
between pairs of pulses in a sequence that was formed in a 
transmitter by delaying a fraction of the signal by a 

20 predetermined interval, the interferometer-detector delaying 
a substantially equal fraction of the signal by substantially 
the same predetermined interval, so that the pulses that were 
deLayed in the transmitter but not in the receiver are 
brought into coincidence with those which were delayed in the 

25 receiver but not in the transmitter, whereby interference 
occurs, and phase differences between pairs of pulses are 
distinguished by observations responsive to the nature of 
such interference characterised in that it includes two such 
interferometer-detectors and a polarisation beam-splitter for 

™ qiving dim pulses access to both of the inter f erometer- 

dot f:?Ct. CM H . 

!i should be noted at this point that, since the 
pr oh.ih i I i t y that the dim pulses will be observed to contain 
mote tii,.!, imo photon is small (typicully loss than IV,), 
*5 sirmi M iiM-'.ns detection events wi.J 1 rarely Ix: observed in the 
i wo i fit i-r | "romoter-det.oct.nr y , Instead, sine- t h<> probability 



of the dim pulses being observed to contain a single photon 
is much higher (typically 10%), the majority of detection 
events will be single events occurring with equal probability 
at either of the interferometer-detectors, but not both. 

5 Hence the polarisation beam-splitter acts in effect as a 
random router for the dim pulses. Most pulses do not lead to 
any detection event. 

Preferably the apparatus includes a transmitter (known 
per se) comprising a source of randomly phase-encoded pairs 

10 of effectively unpolarised dim optical pulses and a non- 
phase-maintaining optical fibre for transmitting such pulses 

to the receiver. 

It will be understood that once the pulse sequence has 
been transmitted and the phase differences of some of the 

15 pulse pairs contained in it determined as described, a key 
must be established from it by dialogue between the 
transmitter and the receiver (which need not be secure, since 
the result of the phase measurements which determine the 
digital values attributed to individual pulse pairs does not 

20 need to be discussed). It follows that the apparatus also 
needs to include, or to be used in conjunction with, 
recording means at the transmitter for maintaining a record 
of the transmitted pulse sequence, recording means at the 
receiver for maintaining a record of the results of phase 

25 measurements made by the interferometer-detectors and a 

further (insecure) communication channel between the receiver 

and the transmitter. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will now be described in further detail by 

V) way of example only with reference to the accompanying 
drawinqs, in which: 

FIGURE 1 represents a specific embodiment, of the current 
invention based on a waveguide-integrated Mach-Zehnder 

i nt. or 1 <:i ometer; 
15 FICUI'K V is a schematic diagram of a depol ar iser; 



FIGURE 3 is a diagram of another embodiment of the invention; 
and figures 4 and 5 are diagrams illustrating modifications. 
DESCRIPTION OF THE PREFERRED EMBODIMENT 

Figure 1 depicts the characteristic optical part of an 

5 apparatus for establishing a quantum key in accordance with 
the current invention. The transmitter 1 includes a pulsed 
semiconductor diode laser 2, an attenuator 3, a waveguide 
delay stage 4, a phase modulator 5, a random number generator 
6 and a depolariser 7. The delay stage shown is based on the 

10 waveguide integrated Mach-Zehnder (MZ) interferometers 

described by Bonfrate et al in the paper referenced above, 
from which further details may be obtained. The relative 
(probabilistic) amplitudes and temporal positions of the 
components of the dim pulses generated by the transmitter are 

15 shown at various points in the system 8-11- The random bits 
that ultimately generate the cryptographic key are encoded in 
the phase difference of the dim pulse pairs 9 according to 
the Bennett 1992 protocol referred to above. That is to say 
the random number generator 6 switches the phase modulator 5 

20 between two phase settings, namely 0° (bit 0) and 180° 

(bit 1) . After depolarisation (further discussed below) the 
dim phase encoded pulses leave the transmitter and propagate 
through a non-phase-maintaining ordinary transmission fibre 
12 before entering a receiver 13. The receiver includes a 

25 polarisation beam splitter (PBS) 14 that effectively acts as 
a random router for the depolarised pulses and gives equal 
probabilities of observing the pulses in the upper or lower 
output branches. The PBS outputs are linearly polarised and 
these polarisation states are preserved by using polarisation 

30 maintaining fibre 1L> for the input pigtails to two further 
w»ivf?tju idc? integrated dolay stages 16 & 17 which aro identical 
with cjcIi other and wuh the delay stage A in the 
r i ,ui:-;riii t t <;r. . The r< » I <j t i ve optica 1 path length difforonco in 
K iw :\<;\. via l.ho h".ilor 18 to give a static phase shilt. of 0° 

35 wh»M<-MS that in 17 i:. :iot to give a static phasn shilt u| 



( 10 

180°. The relative amplitudes and temporal positions of the 
resultant pulse envelopes is shown by 10 and 11 where the 
central peaks represent the pulse component that undergo 
interference. Note that interference occurs because the delay 
5 stages in the transmitter and receiver are identical and 
hence they combine to form a complete MZ device comprising 
two matched length paths. The received bit value is then 
determined as 0 when single-photon detector 19 registers a 
pulse and as 1 when single-photon detector 20 registers a 
10 pulse; thus the detectors 19 and 20 together with respective 
delay stages 16 and 17 constitute the interferometer- 
detectors of the receiver. In this way the passive receiver 
mimics the operation of an active receiver that randomly 
switches between phase shift settings of 0° and 180". In 
15 addition the use of depolarised pulses together with the 
polarisation diversity receiver means that the system is 
insensitive to any fluctuations in the birefringence of the 
transmission fibre. 

The scheme used for the depolariser is shown in 
20 Figure 2. The linearly polarised pulse from the phase 

modulator 21 is injected into polarization beam splitter 25 
after a 45 degree splice 23 between the modulator output 
pigtail 22 and the polarization beam splitter 25 input 
pigtail 24, both made of polarisation maintaining fibre . The 
25 orientation of the splice excites the same amount of power in 
the two principal modes of the polarization maintaining fibre 
of the input pigtail 24. The delay d 26 has to be chosen 
longer than the pulse coherence time and shorter than the 
pulse duration itself to ensure that the delayed and non- 
30 delayed pulses can be recombined into a single pulse without 
creating an interference pattern: this is possible provided 
i ho lnser 2 (figure 1) is a gain-switched semiconductor DFB 
laser because there is a high degree of chirp in the pulses 
I rem a lusor (t ime-bandwidth product typically ton times the 
35 transform limit). A typical value of d would bo ..bout SO ps. 
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The two orthogonally polarised and (now) incoherent beams 27 
and 28 are combined together in a following polarization beam 
splitter 31, by splicing the polarisation preserving output 
pigtails 29 of polarization beam splitter 25 to the 
5 polarisation maintaining input pigtails 30 of polarization 
beam splitter 31. This gives effectively a de-polarised 
pulse 32 slightly longer than the original input pulse at the 
polarisation preserving output pigtail 31 of polarization 
beam splitter 31. 
10 Alternatively if an intrinsically depolarised source of 

light such as amplified spontaneous emission from an optical 
amplifier were employed in the system the depolariser could 
be eliminated. 

The operation of the apparatus shown in the drawings is 

15 as follows: 

Laser 2 generates a regular sequence of linearly 
polarised optical pulses, and attenuator 3 is set to 
attenuate all of them (except possibly a small number of 
pulses to act as time markers) to so low a level that the 

20 probability of a pulse containing even one quantum is about 
0.1. Integrated delay stage 4 splits each of these pulses 
into two time-spaced pulses as seen at 9 (not quite equal 
because of different losses in the two branches) . 

Random number generator 6 provides an input data stream 

25 to phase modulator 5 which is the basis for the eventual key: 
a sequence substantially more than twenty times as long as 
the key is required at this point; the length of the eventual 
key depends on the level of security against code-breaking 
that is desired: for maximum security, the key should be as 

.10 long as the data stream to be encrypted. Phase modulator 5 is 
switched or not, according to the digital value of the 
incoming data stream, between the arrival of the pulses of a 
pair, to create a phase difference for one of the values. 
The dim pulse-pair sequence is depolarised as already 

35 described and sent via the non-polarisation-preserving 
communication fibre 12 to thi? receiver. Depending on the 



length and quality of the fibre and associated equipment, 
some reduction in amplitude and probability of detection will 
arise in consequence of the normal loss mechanisms of the 
] ine . 

5 Thus far, the operation is substantially the same as in 

W097/44936, but on arrival at the receiver 13, in accordance 
with the invention, the pulses are incident on polarisation 
beam-splitter 14 connected through respective polarisation- 
preserving fibre pigtails 15 to both the upper delay stage 16 

10 and the lower one 17, and the result is as if pulses were 
randomly routed to one of the delay stages. 

It will be realised that the delays in interferometers 4 
and 16 or 17 result in the presence of three pulses in each 
bit period by the time the detector 19 or 20 is reached (as 

15 sketched at 10 and 11 in figure 1): each central interference 
pulse is preceded by a leading satellite pulse that was not 
delayed in either interferometer and followed by a lagging 
one that was delayed in both. These satellite pulses carry 
no information, and detection events occurring in the time- 

20 slots corresponding to them are either prevented by gating 
the detectors to be unresponsive in those time slots, or 
disregarded if they do occur. 

Many bit periods (at the amplitude recommended, at least 
90% even in the case of an ideal loss-less installation with 

25 perfect detectors) will not result in either detector firing 
at all, because of the inherently low probability of 
detecting a pulse with an amplitude corresponding to a small 
fraction of one photon. 

When the single-photon detector 19 fires in the time- 

M) slot corresponding to the central interference peak shown 
in 10, a "0" digit is recorded as received in the 
corresponding time-slot: when detector 20 fires in the time- 
slot corresponding to the central interference peak shown 
in 11, ;\ "1" digit is recorded. If the interference 

35 visibility in the i list* 1 .1 nl ion is good (close to unity), then 
with high probability these events only occur when a puJse 



pair is notionally routed to the interferometer that is set 
to detect it. In these cases, the phase shifts in the two 
interferometers in the transmitter and in the receiver are 
equal, resulting in a net phase shift of zero and an 
5 interference maximum. Similarly, it is equally likely that a 
pulse pair is notionally routed to the interferometer- 
detector that was not set to detect it; in these cases the 
net phase shift is 180° corresponding to an interference 
minimum and hence with high probability no detection event 
10 occurs. All such "absences" are disregarded, as are rare but 
not totally absent timeslots in which both detectors fire, 
either because corresponding pulses have been of sufficient 
amplitude for there to be a detectable output at both output 
ports of the polarisation beam splitter or because of random 
15 noise or other stochastic events. 

The pulse sequence as detected is recorded, and the 
receiver notifies the transmitter (by any suitable 
communication line, which need not be secure) the numbers of 
the bit periods in which a detection was made (but not the 
20 digit value that was detected) . The receiver extracts the 
corresponding digits from its own record of the transmitted 
digit sequence, and in the absence of errors, this should be 
identical with the digit sequence recorded by the receiver. 
In practice, it is likely that some errors will have occurred 
25 even if no eavesdropper was present on the channel. These 

errors can arise from imperfect interference (visibility less 
than one) or from detector dark counts, for example. It is 
impossible in principle to distinguish these errors from 
i hose caused by eavesdropping, hence all errors are 
30 conservatively treated as if generated by an eavesdropper. 
II the error rate is sufficiently low (typically of the order 
ol ,.i few percent in practice), then known error-correction 
.md 'privacy amplification' techniques can be employed to 
■ li.it.il from the initial bit sequence a smaller amount of 
?s hiqhly .secret key about which an eavesdropper is very 
:!iilikoly to know even a single bit. The transmitter and 
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receiver perform error-correction by publicly comparing the 
parities of blocks of their data, and where these do not 
match, performing a bisective search within the block to 
identify and discard (rather than correct) the error [see 

5 e.g. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and 
J. Smolin, 'Experimental Quantum Cryptography', Journal of 
Cryptology, 5 3-28 (1992)]. In this way they can derive a 
shared, error free, random bit sequence from their raw data 
together with a measurement of the error rate and hence an 

10 estimate of the amount of information that may have been 

obtained by an eavesdropper. If, for example, the transmitter 
and receiver calculate that an eavesdropper may know the 
values of e bits of an error-corrected string that is n bits 
long, they can generate from this data a highly secret key 

15 with a length of m bits, where m is approximately equal to 
n-e, simply by computing (but not announcing as in error- 
correction) the parities of m publicly agreed-on random 
subsets of their data. This process is known as privacy 
amplification (for further details, see e.g. C. H. Bennett, 

20 G. Brassard, C. Crepeau and U. Maurer, ^Generalized Privacy 
Amplification', SIAM Journal on Computing, 17 210-229 
(1998)]. The final stage of the process is for the 
transmitter and receiver to authenticate their public channel 
discussions using an inf ormation-theoreticall y secure 

25 authentication scheme (see e.g. M. N. Wegman and J. L. 

Carter, 'New Hash Functions and their use in Authentication 
and Set Equality', J. Computer and System Sciences, 22, 265- 
219 (1981)]. This is to protect against the powerful attack 
in which an eavesdropper breaks in to the public channel and 

?o impersonates the transmitter to the receiver and vice-versa . 
After privacy amp! i f i cat i on and authentication the 
I ivmsmitter rind receiver are in possession oi a shared, 
secret bit sequence. All or uny selected segment of this bit 
.•■.equencc can i>«: used as a .see rut. key tor any standard (or 

?s li'Mi-.st. andar d) encryption technique:, or can be expanded usinq 
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one of the algorithms readily available for the purpose to 
generate a longer key. 

In the apparatus shown in Figure 1, the modulator 5 is a 
distinct component. A more difficult but potentially 

5 beneficial option is to integrate it into one of the limbs of 
the interferometer 4. 

It will be noted that the technique described does not 
provide for or rely on bright pulses as required for strict 
conformity with the Bennett 1992 protocol: if desired, it can 

io be modified to do so, simply by modifying the splitters and 
recombining couplers in each of the interferometers so that a 
large proportion (say 90%) of the incident light is routed to 
the short branch, so that the leading satellite pulses are 
greatly enlarged (and the trailing ones reduced) . 

15 The method and apparatus can also be modified, if 

desired, to operate in accordance with the Bennett- 
Brassard 1984 protocol, a previous experimental 
inlerferometric implementation of which was described in the 
paper by Marand and Townsend identified above. This protocol 

20 differs from the Bennett 1992 scheme in that there are now 
two different coding representations, A and B, for one and 
zero, where A is defined as: 0' = "0", 180° = "1" and B is 
defined as: 90° - "0", 270° = "1". In addition two different 
measurement phase shifts are used in the receiver, A: 0° and 

25 B: 90°. In the receiver illustrated by figure 3 the upper 
interferometer 35 is set to measure representation A and the 
lower interferometer 36 is set to measure representation B. 
Each interferometer is connected by dual-output couplers (for 
instance single-mode directional couplers or multimode 

30 interference couplers to two detectors, respectively 37, 38 
,ind 39, 40. The relative probabilities of the various 
moo aur erne nt outcomes are indicated as before by the satellite 
.jiwJ interference peak amplitudes, which are shown at 41, 42, 
4», and 44. As before, only detection events in the central 
35 iritcrlfi.jiif.-c peaks carry information. In the rases where an 
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A-representation pulse pair is notionally routed to 
interferometer 35, a coding value of "1" will lead to 
detector 37 firing (amplitudes as shown at 41) and a coding 
value of "0" will lead to detector 38 firing (42). Similarly 

5 in the cases where a B-representation pulse pair is 

notionally routed to interferometer 36, a coding value of "1" 
will lead to detector 39 firing (43) and a coding value of 
"0" will lead to detector 40 firing (44). In these instances 
the net phase shift in the interferometers is either 0° or 

10 180° and hence the outcomes are, except with small probability 
due to imperfect interference visibility and detector noise, 
deterministic and the transmitted information is accurately 
received. In contrast, in the instances (about half on 
average) where an A-representation pulse pair is notionally 

15 routed to the interferometer set to detect B-representation 
or vice-versa, the net phase shift in the interferometer is 
either 90° or 270° and so the outcome is probabilistic with 
the receiver equally likely to indicate a "1" or a "0". These 
events are discarded during the post-transmission public 

20 discussion phase of the protocol and hence do not lead to 
errors in the final key. As before any coincidence events 
between any two or more of the four detectors are also 
discarded. The use of two incompatible coding representations 
according to this protocol is intended to ensure that an 

25 eavesdropper who might intercept and re-send the bit sequence 
will generate errors in instances where the transmitter and 
receiver have used compatible representations, and so alert 
legitimate users to the possibility that an eavesdropper is 
[it osent. . 

M) U desired, the phase modulator f> may be integrated into 

ti-.M interferometer 4 by making at least part tit the latter of 

■ , in.tt ferial which is intrinsically ol ectr o-opt Leal ly active, 

■ «mii be made so, e.g. by "poling" a glass or ;i polymer, and 
i i nq the heaters 18 with electrodes. Similarly, the 

vs .-i.-.-i |, ,-<>pL U: effect in an elect r o-opt. Lea 1 I y .iclive material 
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could be used to adjust the phase-shifts in the receiver 
interferometers 16 and 17 (or 35 and 36, as the case may be) - 

The foregoing description has assumed that the 
polarisation beam splitter is a separate, conventional micro- 
5 optic component with fibre connections. While this is 

effective and reliable, there may be advantages in using a 
polarisation beam splitter of a type that can be implemented 
in a planar waveguide, so permitting the polarisation beam 
splitter and both the receiver interferometers to be 
10 integrated on a single chip. A suitable form is proposed in a 
paper by llashizume et al in Electronics Letters vol 37 no. 25 
(6th December 2001) pages 1517-8, to which reference should 
be made for a fuller explanation of its mode of action. This 
consists essentially of a planar Mach-Zehnder interferometer 
15 structure in which the two limbs differ in the width of their 
waveguides, and thus differ in birefringence. As seen in 
Figure 4, the incoming datastream from the transmitter is 
divided by a 50:50 splitter 45 between the limbs 46, 47 of a 
silica-glass based planar waveguide interferometer. Limb 46 
20 is much wider than limb 47 for most of its length and thus 
has a significantly greater birefringence; to minimise the 
influence of taper sections 48, 49, like taper sections 50, 
51 are inserted in the narrow limb 47. The two limbs come 
together in a 4-port 50:50 coupler-splitter 52 and its two 
2> output ports are connected to interferometer-detectors (not 
shown here but corresponding to 16/19 and 17/20 in the 
apparatus of Figure 1, and function in substantially the same 
way . 

It is also possible to modify the transmitter by 
>o implementing the depolariser in a planar waveguide, so 

pormitt inq the depolariser and the other components ot the 
transmitter to be integrated on a single chip (in the case 
wh<;ro the phase modulation function is also integrated into 
I ho chip .is described above). Figure 5 shows one 1 firm of 
.nMiUMii.il <1o|.m1.u iser section that could be added al t Ik; 
output m1. the- transmitter section. The polarisation ol tin; 
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pulses from the transmitter output (53) are rotated 45° by a 
half-wave plate 54 that is inserted into a slot formed 
perpendicular to the waveguide. Two polarisation splitter/ 
combiners 55/ 56 as described by Hashizume et al are 
5 separated by a delay section 57 incorporating a delay 

loop 58. The output port 59 is connected to the transmission 
£ ibre . 

Any discussion of the background to the invention herein 
is included to explain the context of the invention. Where 

10 any document or information is referred to as "known", it is 
admitted only that it was known to at least one member of the 
public somewhere prior to the date of this application. 
Unless the content of the reference otherwise clearly 
indicates, no admission is made that such knowledge was 

15 available to the public or to experts in the art to which the 
invention relates in any particular country (whether a 
member-state of the PCT or not), nor that it was known or 
disclosed before the invention was made or prior to any 
claimed date. Further, no admission is made that any document 

20 or information forms part of the common general knowledge of 
the art either on a world-wide basis or in any country and it 
is not believed that any of it does so with the exception of 
the Bennett/Brassard quantum cryptography protocol. 
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CLAIMS 

1 A method of establishing a key between a transmitter and 
receiver by quantum cryptography using a non-polarisation- 
preserving optical link in which the transmitter sends to the 

5 receiver a signal comprising pairs of effectively unpolarised 
dim pulses obtained by delaying a fraction of the signal by a 
constant predetermined time interval; and in which at the 
receiver a component of the signal that is polarised in a 
predetermined direction is selected, and the relative phases 

10 of pulse pairs in that component are determined by delaying a 
substantially equal fraction of the signal by substantially 
the same predetermined interval, so that the pulses that were 
delayed in the transmitter but not in the receiver are 
brought into coincidence with those which were delayed in the 

15 receiver but not in the transmitter, whereby interference 
occurs, and phase differences between pairs of pulses are 
distinguished by observations responsive to the nature of 
such interference characterised by selecting at the receiver 
two orthogonally polarised components and separately 

20 detecting the relative phase of pulses in each of those 
components. 

2 A method as claimed in claim 1 comprising setting one 
interferometer in the receiver to continuously detect one 
phase coding representation and the other interferometer to 

25 continuously detect the other phase coding representation. 

3 A method as claimed in claim 1 or claim 2 comprising 
obtaining pulses from an inherently unpolarised source. 

4 A method as claimed in claim 1 or claim2 comprising 
obtaining pulses from a linearly polarised source by a 

30 "depolariser" that splits light into two substantially equal 

components, rotates the plane of polarisation of one of the 

components by 90° and then recombines them. 

'i A method as claimed in any one of claims 1-4 in which 

the said fraction is half. 
35 (, A method as claimed in any one of claims 1-4 in which 
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the said fraction is much smaller than a half, so as to 
generate bright leading satellite pulses 
7 A method as claimed in claim 6 in which the said 
fraction is substantially one tenth. 
5 8 A method as claimed in any one of claims 1-7 comprising 
using two different phase codings so that the method complies 
with the Bennett-Brassard protocol. 

9 A method as claimed in any one of claims 1-8 comprising 
using in the transmitter an integrated phase modulator and 

10 interferometer . 

10 A method as claimed in claim 9 comprising using in the 
transmitter a depolariser implemented in a planar waveguide 
and integrated on a single chip with the phase modulator and 
interferometer. 

15 11 Apparatus for use in quantum cryptography comprising at 
least a receiver that comprises an interferometer-detector 
for determining phases of pulses in a duplicate sequence that 
was formed by delaying in a transmitter a fraction of the 
signal by a predetermined interval, the interf erometer- 

20 detector delaying a substantially equal fraction of the 

signal by substantially the same predetermined interval, so 
that the pulses that were delayed in the transmitter but not 
in the receiver are brought into coincidence with those which 
were delayed in the receiver but not in the transmitter, 

25 whereby interference occurs, and phase differences between 
pairs of pulses are distinguished by observations responsive 
to the nature of such interference characterised in that it 
includes two such interferometer-detectors and a polarisation 
beam-splitter for giving dim pulses access to both of the 

50 interferometer-detectors . 

\2 Apparatus as claimed in claim 11 in which one 
ini-erf orometer in the receiver is set to continuously detect 
inn-! phijae coding representation and the other inter lei ometer 
t<; cfHit i nuously dolK.:f the other pha.se coding represent at ion . 

vs I'. Apparatus as claimed in claim 11 or claim 12 comprising 
• in inherently unpolarised pul.se source. 
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14 Apparatus as claimed in claim 11 or claim 12 comprising 
a linearly polarised pulse source and a "depolariser" that 
splits light into two substantially equal components, rotates 
the plane of polarisation of one of the components by 90° and 

5 then recombines them. 

15 Apparatus as claimed in any one of claims 11-14 in which 
the said fraction is half. 

16 Apparatus as claimed in any one of claims 11-14 in which 
the said fraction is much smaller than a half, so as to 

10 generate bright leading satellite pulses 

17 Apparatus as claimed in claim 16 in which the said 
fraction is substantially one tenth. 

18 Apparatus as claimed in any one of claims 11-17 that 
includes also a transmitter comprising a source of randomly 

15 phase-encoded pairs of effectively unpolarised dim optical 
pulses and a non-phase-maintaining optical fibre for 
transmitting such pulses to the receiver. 

19 Apparatus as claimed in any one of claims 11-18 in which 
the transmitter includes a modulator what applies two 

20 different phase codings so that operation of the apparatus 
complies with the Bennett-Brassard protocol. 

20 Apparatus as claimed in any one of claims 11-19 in which 
the transmitter includes an integrated phase modulator and 
interferometer. 

25 21 Apparatus as claimed in claim 20 in which the 

transmitter includes a depolariser implemented in a planar 
waveguide and integrated on a single chip with the phase 
modulator and interferometer. 

22 Apparatus as claimed in any one of claims 11-21 
3() including also recording means at the transmitter for 
maintaining a record of the transmitted pulse sequence, 
recording means at the receiver for maintaining a record of 
the results of phase measurements made by the inter ferometer- 
<1'M. tictors and a further communication channel between the 
>s n/coiver and the transmitter. 

;•' J A quantum-cryptographic method of establishing a key 
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substantially as described with reference to the drawings 
24 Apparatus for quantum cryptography substantially as 
described with reference to the drawings. 
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